| commit | 6ec13c8f759962d29c0ac3a69b64de705116065d | [log] [tgz] |
|---|---|---|
| author | Nan Zhou <nanzhoumails@gmail.com> | Thu Dec 30 11:34:50 2021 -0800 |
| committer | Nan Zhou <nanzhoumails@gmail.com> | Thu Mar 24 15:57:07 2022 +0000 |
| tree | 301450c4c6e2de1ad1e66bbcdf03e222145ac5a4 | |
| parent | e869bb63df5f492a98b49786f78e584fd121e30f [diff] |
Authorities list: implement InstallAll & ReplaceAll This change implements the design in https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/49317. InstallAll: enumerate all certs in the input file and install all of them; ReplaceAll: replace all certs with the new authorities list Atomic: implemented via creating temporary folder and issuing swap. Added ability to unit test service reload as well. Tested: 1. Unit tests 2. Tested loading/deleting authorities list in QEMU. ``` root@xxx:~# busctl call xyz.openbmc_project.Certs.Manager.Authority.Ldap \ > /xyz/openbmc_project/certs/authority/ldap \ > xyz.openbmc_project.Certs.InstallAll \ > InstallAll s /tmp/trust_bundle.pem as 3 "/xyz/openbmc_project/certs/authority/ldap/1" "/xyz/openbmc_project/certs/authority/ldap/2" "/xyz/openbmc_project/certs/authority/ldap/3" root@xxx:~# ls /etc/ssl/certs/authority/ 10a5d8b0.0 5b49ceaa.0 f3ddaa86.0 file0qmgPV fileDbjTzW fileR4TtjO trust_bundle root@xxx:~# busctl call xyz.openbmc_project.Certs.Manager.Authority.Ldap /xyz/openbmc_project/certs/authority/ldap xyz.openbmc_project.Certs.ReplaceAll ReplaceAll s /tmp/trust_bundle.pem root@xxx:~# ls /etc/ssl/certs/authority/ 10a5d8b0.0 5b49ceaa.0 f3ddaa86.0 file1obsEZ fileOqVoaC filerUBZCj trust_bundle root@xxx:~# wget -qO- http://localhost/redfish/v1/Managers/bmc/Truststore/Certificates/ { "@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/", "@odata.type": "#CertificateCollection.CertificateCollection", "Description": "A Collection of TrustStore certificate instances", "Members": [ { "@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/1" }, { "@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/2" }, { "@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/3" } ], "Members@odata.count": 3, "Name": "TrustStore Certificates Collection" } root@xxx:~# wget -qO- http://localhost/redfish/v1/Managers/bmc/Truststore/Certificates/1 { "@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/1", "@odata.type": "#Certificate.v1_0_0.Certificate", "CertificateString": "-----BEGIN CERTIFICATE-----\nMIICZTCCAgugAwIBAgIUANIf0jvaRNq1MdwxrXPnk25VrmYwCgYIKoZIzj0EAwIw\nVTETMBEGA1UEChMKY2FtcHVzLWFzaDENMAsGA1UECxMEcm9vdDEvMC0GA1UEAwwm\ne2QyZWQ1MGJkLTczMTQtNDgxZC04OWE0LTVkMjkxMmYyMGQ5NH0wIBcNNzAwMTAx\nMDAwMDAwWhgPOTk5OTEyMzEyMzU5NTlaMFUxEzARBgNVBAoTCmNhbXB1cy1hc2gx\nDTALBgNVBAsTBHJvb3QxLzAtBgNVBAMMJntkMmVkNTBiZC03MzE0LTQ4MWQtODlh\nNC01ZDI5MTJmMjBkOTR9MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lp/J3Gj\nc4TKubuYtzpxu2D3STlwTwEjgFbTaLZnQ0KXt7pBrcYc3yY1t74WBluvzM9iok6Q\nDcEFX5aIYcoaAKOBtjCBszAOBgNVHQ8BAf8EBAMCAQYwKQYDVR0lBCIwIAYIKwYB\nBQUHAwEGCCsGAQUFBwMCBgorBgEEAdZ5AgcBMA8GA1UdEwEB/wQFMAMBAf8wHQYD\nVR0OBBYEFIPrX7lbeJhvHHcQ7iYOry50aYKYMBcGA1UdIAQQMA4wDAYKKwYBBAHW\neQIFBDAtBgNVHR4BAf8EIzAhoB8wHYYbLmNhbXB1cy1hc2gucHJvZC5nb29nbGUu\nY29tMAoGCCqGSM49BAMCA0gAMEUCIAS/ZrMPBj992vVVplwzH9DWDCSMu1rCgvqw\nam3byOT1AiEAyrr3FAP+7js7z+h8d94hTyy1kTn+4NOvUWrVzHUmJI8=\n-----END CERTIFICATE-----\n", "Description": "TrustStore Certificate", "Id": "1", "Issuer": { "CommonName": "{d2ed50bd-7314-481d-89a4-5d2912f20d94}", "Organization": "campus-ash", "OrganizationalUnit": "root" }, "KeyUsage": [ "CRLSigning", "ServerAuthentication", "ClientAuthentication", "" ], "Name": "TrustStore Certificate", "Subject": { "CommonName": "{d2ed50bd-7314-481d-89a4-5d2912f20d94}", "Organization": "campus-ash", "OrganizationalUnit": "root" }, "ValidNotAfter": "9999-12-31T23:59:59+00:00", "ValidNotBefore": "1970-01-01T00:00:00+00:00" } ``` Signed-off-by: Nan Zhou <nanzhoumails@gmail.com> Change-Id: I495f5c1c1c4a2ac880dd3233be31b84a78d79a43
Certificate management allows to replace the existing certificate and private key file with another (possibly CA signed) Certificate key file. Certificate management allows the user to install both the server and client certificates.
This project can be built with meson. The typical meson workflow is: meson builddir && ninja -C builddir.
Multiple instances of phosphor-certificate-manager are usually run on the bmc to support management of different types of certificates.
Usage: ./phosphor-certificate-manager [options]
Options:
--help Print this menu
--type certificate type
Valid types: client,server,authority
--endpoint d-bus endpoint
--path certificate file path
--unit=<name> Optional systemd unit need to reload
Purpose: Server https certificate
./phosphor-certificate-manager --type=server --endpoint=https \ --path=/etc/ssl/certs/https/server.pem --unit=bmcweb.service
Purpose: Client certificate validation
./phosphor-certificate-manager --type=authority --endpoint=ldap \ --path=/etc/ssl/certs/authority --unit=bmcweb.service
Purpose: LDAP client certificate validation
./phosphor-certificate-manager --type=client --endpoint=ldap \ --path=/etc/nslcd/certs/cert.pem
phosphor-certificate-manager is an implementation of the D-Bus interface defined in this document.
D-Bus service name is constructed by "xyz.openbmc_project.Certs.Manager.{Type}.{Endpoint}" and D-Bus object path is constructed by "/xyz/openbmc_project/certs/{type}/{endpoint}".
Take https certificate management as an example.
./phosphor-certificate-manager --type=server --endpoint=https \ --path=/etc/ssl/certs/https/server.pem --unit=bmcweb.service
D-Bus service name is "xyz.openbmc_project.Certs.Manager.Server.Https" and D-Bus object path is "/xyz/openbmc_project/certs/server/https".
OpenBMC bmcweb exposes various REST APIs for certificate management on the BMC, which leverages functionalities of phosphor-certificate-manager via D-Bus.